Point of Sale skimmer that prints out real-seeming receipts

Brian Krebs reports on a terrifyingly real-seeming Point of Sale skimmer: a device that looks and feels just like the thing you normally stick your credit card into and then enter your PIN into, and which can print out a real-seeming receipt showing the transaction was approved by your bank. In reality, what this thing does is record your card number, PIN, and other information needed to replicate your card and use it to clean out your account.

This miscreant sells two classes of pre-hacked wireless Verifone POS devices: The Verifone vx670, which he sells for $2,900 plus shipping, and a Verifone vx510, which can be had for $2,500. Below is a video he posted to youtube.com showing a hacked version of the vx510 printing out a fake transaction approval receipt.

From the seller’s pitch: “POS is ‘fake’ and stores D+P [card data and PIN], prints out approved receipt or can be setup for connection error. Software to decrypt the data is provided. It keeps d+p inside memory for manual retrieval via USB cable.”

You must be in one of the more enlightened countries. Over here in the technological backwaters of the U.S. magnetic strip is still king. Sure some of the fancier stores may have the tap to pay option, but it is always alongside a mag stripe reader.

Not really, it’s possible you could have a device switched by a member of staff, or even someone brazen enough to pass themselves off as a member of staff. I imagine its best situation is outdoor cafes etc.: watch the waiter/ess deliver the receipt, then the fraudster walks over with the pad and does the transaction before the staff member comes back.

The weakness on this device is its portability, so in my mind the easy test is a fake PIN; if it accepts it, it’s a phoney, since a real pinpad checks the PIN that’s held on the card – you get 3 attempts so you can afford one test.

Counter / fixed pinpads at least are connected to Ethernet / phone line so there’s some reassurance that it’s genuine.

Is a false negative less suspicious than a false positive? You can be sure you entered the wrong PIN, but how sure are you really that you entered the right PIN? This tendency has been exploited by phishers for a while, where they have you enter all your info on a fake site, then when you submit the page, they give you an authentication error and bounce you to the real site to “try again”.

Yes. Frequently, when I have a potassium level drawn, it comes back life-threateningly high, presumably due to hemolysis. I go back for a redraw and it comes back normal. The doctor accepts the normal value and rejects the abnormal value. Think about it.

It seems to me to be fairly unlikely to encounter one of these. The store owner would have to be the one trying to steal your card information, they would have to be losing out on every store purchase (since this thing doesn’t actually send anything to VISA etc), and they’d have to be hoping that none of the people whose accounts they clear out will look at their transactions and notice one missing, or remember the last few places in which they used their card.

A more worrying situation would be a firmware hack on a real POS device (or a router that simply stores the info and some good decryption) that allowed transactions to still go through but recorded the details, allowing the owner to sell the occasional card number at a much later date. My guess is that the encryption on POS devices makes this second scenario much less likely, however.

Makes a decent argument for ditching debit cards. Either pay cash, or use a credit card. Credit card info can still be stolen but at least there’s a process in place to have fraudulent charges reversed. If they get your debit card and clean out your bank account, there’s no recourse available.

Debit cards may not have precisely the same built-in legal protections as credit cards (I don’t know), but as a practical matter, I know from repeated experience that banks and/or their affiliated finance companies treat them the same way. You report the fraudulent charges, they do a cursory investigation, the money reappears in your account. At least that’s the case in the American context.

I’m not one to give banks a lot of credit in this or any other regard, but debit card numbers get stolen all the time, just like credit card numbers. Nobody would use debit cards at all if there were no recourse.